httpd-users mailing list archives

From Filipe Cifali <cifali.fil...@gmail.com>
Subject Re: [users@httpd] How to serve https only? Is this correct?
Date Thu, 12 Jul 2012 15:10:16 GMT
If you want no traffic, don't listen.

Block on firewall w/ tcp-reject and don't use Apache to listen to http.

A more "friendly" way is to redirect VIA firewall all --dport 80 to --dport
443.

2012/7/12 Tom Browder <tom.browder@gmail.com>

> On Thu, Jul 12, 2012 at 9:08 AM, Mark Montague <mark@catseye.org> wrote:
> > On July 12, 2012 8:02 , Tom Browder <tom.browder@gmail.com> wrote:
> >> On Thu, Jul 12, 2012 at 6:37 AM, Nick Kew<nick@webthing.com>  wrote:
> >>> On 12 Jul 2012, at 12:02, Tom Browder wrote:
> >>>
> >>>> I want to have NO http traffic on my site.  Is this the correct way to...
> ...
> > Nick's answer is the correct and literal answer.  The "single solution for
> > HTTPS only" that you are looking for is:
> >
> > - Delete any Listen directive for port 80 and also
> > - Delete any VirtualHost stanza for port 80 (for example, your
> >   "<VirtualHost *:80>" stanza).
> ...
> > The configuration you posted in your original message will accept HTTP
> > traffic and redirect all of it to the HTTPS virtual host.  This is the
> > "standard" and "user friendly" solution that most sites which want to secure
> > all of their pages implement, but note that the initial redirects all occur
> > over HTTP and so you are still accepting some small amount of HTTP traffic.
> > The reasons you want to have no HTTP traffic on your site are important to
> > consider in order to choose the best overall solution:   If port 80 is
> > blocked at your firewall, or if you are concerned about people taking
> > advantage of some theoretical (and unlikely) security hole in Apache HTTP
> > Server that is exploitable over HTTP but not over HTTPS, then you'd want the
> > solution Nick presented.
>
> Thanks for the reply, Mark.
>
> I like the "friendly" approach, but I made the statement, "I want to
> have NO http traffic on my site," because I saw in a post from a
> Mozilla Persona site a reference to another link that there is a
> possibility of a man-in-the-middle attack using it.
>
> Best regards,
>
> -Tom
>


-- 
[]'s

Filipe Cifali Stangler
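
As an added example (not part of this thread and not Apache httpd's own tooling), here is a small Python check for the two items Mark Montague lists in the quoted reply: a Listen directive for port 80 and a VirtualHost stanza for port 80. The two sample configurations are constructed, the function names are hypothetical, and the check reads only the text it is given (it does not follow Include directives).

```python
import re

# Constructed sample configurations (not taken from the thread).
REDIRECTING_CONF = """\
Listen 80
Listen 443
<VirtualHost *:80>
    Redirect permanent / https://www.example.org/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
"""

HTTPS_ONLY_CONF = """\
# Listen 80
Listen [2001:db8::1]:443
Listen 192.0.2.10:443 https
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
"""

def _port(addr):
    """Port of a 'port', 'addr:port' or '[v6]:port' token; None if no port."""
    tail = addr.rsplit("]", 1)[-1]           # drop a bracketed IPv6 host
    if ":" in tail:
        return tail.rsplit(":", 1)[1]
    return tail if tail.isdigit() else None  # bare host or '*' has no port

def port80_findings(conf_text):
    """Return (line_number, text) for each Listen/VirtualHost tied to port 80."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        m = re.match(r"(?i)listen\s+(\S+)", line)
        if m and _port(m.group(1)) == "80":
            findings.append((n, line))
        m = re.match(r"(?i)<virtualhost\s+([^>]+)>", line)
        if m and any(_port(a) == "80" for a in m.group(1).split()):
            findings.append((n, line))
    return findings

if __name__ == "__main__":
    for n, text in port80_findings(REDIRECTING_CONF):
        print(f"line {n}: {text}")
```

An empty result means the given text has no port 80 listener or virtual host; it says nothing about what a firewall in front of the server does.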
